Expense Tracker
v1.0.3Just say what you spent — your AI logs it, categorizes it, and tracks it against your budget. No apps, no forms, no friction. Supports natural language like...
⭐ 0· 549·0 current·0 all-time
byNick@nicholasrae
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description claim a local expense tracker and the code matches that: all scripts read/write a local ledger and local reference files. However, the skill metadata lists no required binaries while README and the scripts require jq (and README also lists bc). That mismatch is unexpected but consistent with the skill's function (jq is needed to manipulate JSON). Also the SKILL.md header version (1.0.2) differs from the registry version (1.0.3) and the source/homepage are unspecified.
Instruction Scope
SKILL.md instructs the agent to parse natural-language inputs and run the included bash scripts. The scripts only read/write files under the skill directory (references/, expenses/) and do not perform network calls or access unrelated system paths. The scripts include input validation and take care to pass user data to jq via --arg/--argjson to avoid jq-injection.
Install Mechanism
There is no remote install/download step (instruction-only install), and all code is included in the skill bundle. This lowers supply-chain risk. No external URLs or archives are fetched by an install spec. You will need to place the folder into your skills directory manually per README.
Credentials
The skill requests no environment variables or credentials. That matches the local-only design. The only required runtime tools (jq, and optionally bc) are local utilities, not credentials. This is proportionate to the stated purpose.
Persistence & Privilege
always:false (default) and the skill does not modify other skills or global agent configuration. It stores data locally in expenses/ledger.json; this is expected persistence for a local tracker and does not grant elevated platform privileges.
Assessment
This skill appears to do what it says: it logs and reports expenses locally using the included bash scripts. Before installing: 1) Ensure jq (and bc if you want exact bc-based numeric outputs) is installed on the host — the skill metadata does not declare these dependencies even though the scripts require them. 2) Review the included scripts (add-expense.sh, query.sh, budget-check.sh) yourself — they run locally and write to expenses/ledger.json as plain JSON (no encryption). If your ledger contains sensitive notes, consider file permissions or storing the folder on encrypted storage. 3) Note minor inconsistencies: SKILL.md header version (1.0.2) vs registry version (1.0.3) and unknown source/homepage — if provenance matters, ask the publisher for a canonical source or signed release. 4) Because the agent can invoke skills autonomously (platform default), decide whether you want to allow autonomous operations that may append to ledger.json; if not, restrict invocation. Overall this is coherent for a local expense tracker but check dependencies and storage/permissions before use.Like a lobster shell, security has layers — review code before you run it.
latestvk974f5ma7caexnaxh4wj5j96h981h0r6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.